Mail archive
alpine-devel

Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

From: eleksir <eleksir_at_exs-elm.ru>
Date: Tue, 26 May 2015 23:19:05 +0300

Sure. Let's remove suid from sudo and su. It will be a clever joke when
you try to switch to root and fail. Go ahead, you security freak, remove
all suid bits and patch kernel/libc to remove all roots of this suid evil.

C'mon people, stop this talk about "cleaning" the system already. Submit
patches, make upstream (not distro maintainers) accept them.


26.05.2015 16:46, Isaac Dunham wrote:
> On Tue, May 26, 2015 at 04:32:01AM -0500, William Pitcock wrote:
>> Hello,
>>
>> I would like to see a general reduction of SUID binaries where
>> possible. For example, a lot of APKBUILDs have options=suid when
>> there's probably no real reason for it.
>>
>> Examples include ...
>>
>> main/apache2
>> main/atop
> Perhaps a workaround for grsec limits on sysfs/procfs permissions?
>
>> main/email2trac
>> main/fping
>> main/fuse
>> main/haserl
>> main/krb5
>> main/mailx
>> main/man (I have no idea why you need SUID to view manpages???)
> On Debian, this is an install-time choice: suid allows caching manpages
> in "catdoc" (preformatted text) format.
>
>> main/mate-applets (why would we ever give a GUI de facto root???)
> Yikes.
> I'd guess this might be the same as atop.
>
>> main/nagios-plugins
>> main/vte
> Something to do with ptys, I'm not sure exactly what.
>
>> main/xscreensaver
> A screensaver needs to be able to lock the screen, and presumably
> also require a password.
>
>
> ---
> Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-devel+help_at_lists.alpinelinux.org
> ---
>



Received on Tue May 26 2015 - 23:19:05 UTC
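
The audit the quoted proposal asks for (which APKBUILDs declare `options=suid`, and whether they really ship a setuid file) can be scripted. The following is an added example, not code from the thread or from Alpine; it assumes an aports-style layout of `<repo>/<pkg>/APKBUILD` with staged files under `<repo>/<pkg>/pkg`, and the sample package names are constructed.

```shell
#!/bin/sh
# Added example: audit an aports-style tree for options=suid declarations.

# Print "repo/pkg" for every APKBUILD whose options= value contains the word suid.
list_suid_apkbuilds() {
    find "$1" -type f -name APKBUILD | sort | while IFS= read -r f; do
        # Keep only the options= value; drop trailing comments and quotes.
        opts=$(sed -n 's/^options=//p' "$f" | sed 's/#.*$//' | tr -d "\"'")
        for o in $opts; do
            [ "$o" = suid ] || continue
            d=$(dirname "$f")
            printf '%s/%s\n' "$(basename "$(dirname "$d")")" "$(basename "$d")"
            break
        done
    done
}

# Print regular files under a directory that carry the setuid bit.
setuid_files() {
    find "$1" -type f -perm -4000 | sort
}

# For each package declaring suid, report whether its staging directory
# (assumed to be <repo>/<pkg>/pkg) actually contains a setuid file.
audit_suid() {
    list_suid_apkbuilds "$1" | while IFS= read -r p; do
        if [ -n "$(setuid_files "$1/$p/pkg" 2>/dev/null)" ]; then
            echo "$p: setuid file present"
        else
            echo "$p: declared, no setuid file found"
        fi
    done
}

# Constructed sample tree; pkg-a, pkg-b and pkg-c are made-up package names.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/main/pkg-a/pkg/usr/bin" "$t/main/pkg-b/pkg/usr/bin" "$t/main/pkg-c"
    printf 'pkgname=pkg-a\noptions="suid !check"\n' > "$t/main/pkg-a/APKBUILD"
    printf 'pkgname=pkg-b\noptions=suid # legacy\n' > "$t/main/pkg-b/APKBUILD"
    printf 'pkgname=pkg-c\noptions="!check" # no suid\n' > "$t/main/pkg-c/APKBUILD"
    : > "$t/main/pkg-a/pkg/usr/bin/tool"; chmod 4755 "$t/main/pkg-a/pkg/usr/bin/tool"
    : > "$t/main/pkg-b/pkg/usr/bin/tool"; chmod 0755 "$t/main/pkg-b/pkg/usr/bin/tool"
    echo "$t"
}
```

Packages reported as "declared, no setuid file found" are the candidates for dropping the option; the rest need a per-package review of why the bit is set.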